"•..•NT  , 


ADVERTISEMENT, MARCH 2010

Building protection around your applications isn't enough. You've got to:

FIND the vulnerabilities inside your software
FIX them quickly and cost effectively
FORTIFY your applications with security

We're ready to show you how.

FORTIFY

There isn't an "easy button" for good Application Security, but luckily all you have to remember is 3 little words.

As the head of Information Security at your organization, you're doing all the right things to secure the network and your users' desktop computers. Now it's time to start looking inside your software.

Dangerous vulnerabilities are lurking, so first you need to locate them quickly and easily. Next step is to systematically contain and remove them. But the secret sauce of sound application security is the final step: to Fortify the software that runs your business. Fortify Software actually makes your critical applications stronger by giving you solutions to build in better security.

Hey, we realize building a robust Software Security Assurance program isn't child's play. No need to worry, Fortify has it all figured out. With award-winning products, developer security training, and methods proven across more than 700 successful customer deployments, Fortify can show you the way.


IDENTIFICATION | GOVERNANCE | COMPLIANCE | REMEDIATION | APP DEFENSE

Discover How to Fortify Your Software.

□ Attend a Local Fortify Event

Chances are Fortify is coming to your neck of the woods. We routinely gather the leaders in Software Security Assurance together for informative sessions designed to help you understand how to mitigate software security risk.

□ Read up on Best Practices

Visit Fortify.com and download our CISO Guides to Software Security Assurance, including case studies on how the world's leading companies Fortified their own software.

□ Get the Latest News in Your Inbox

Sign up for our newsletter and we'll keep you informed each month with features and links about the latest trends and issues in Software Security Assurance.


UNDERCARD

Body of Work: Biometric access, considered. PAGE 20

Open Sesame: Now where did you put those keys? PAGE 28

Smarter technology for a Smarter Planet:

Finding meaning in the noise.

An unprecedented amount of information flows through companies every day. But to what effect? A recent study found that 52% of managers have no confidence in the information they rely on to do their job. And 42% of them actually use the wrong information at least once a week. Without the right approach to business intelligence, companies struggle to turn all that information into sound decisions.

IBM business intelligence and performance management solutions give you the smarter tools you need to access the right information, making it available to the right people when and how they need it. Today IBM is helping over 20,000 companies spot trends, mitigate risk and make better decisions, faster. In fact, we helped a major retail supplier achieve this by cutting their average financial reporting time by almost 50%.

A smarter business needs smarter software, systems and services.

Let's build a smarter planet. ibm.com/intelligence

IBM, the IBM logo, ibm.com, Smarter Planet and the planet icon are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml.


March 2010, Vol. 9, No. 2

Features...

24 Battle of the Brains
Cover Story | Information Security. Two information security experts take on three critical questions about where the field is heading.

28 Forgotten Keys
Access Control. Pass cards get all the attention, but your facilities still have physical keys for cabinets, lockers, even doors. Do you know where they are and what they go to? By Michael Fitzgerald

Also Inside...

4 From the Editor
6 From the Publisher
8 Join the Discussion
Legacy Vendor Agreements and Mass.'s Data Law; Trends in Mobile Payment Are Frightening; Time to Rethink Encryption

11 Briefing
■ DDoS Takes Aim at Layer 7
■ How IT Security Tech Can Make Things Worse
■ Why Your Smartphone Is Stupid Easy to Hack
■ Security Wisdom Watch: Technology Edition
■ FarmVille's Dark Underbelly
■ New Russian Botnet Tries to Kill Rival
■ P2P Snoopers Know What's in Your Wallet

20 Biometrics in the Real World
Toolbox. Biometric access control has long struggled to provide enough payoff for the pain. Here are the practical strengths and weaknesses of the most common biometric tools. By Mary Brandel

31 Measuring the Health of Corporate Security
CSO View. How to get mahogany row to add risk management to corporate checkups. By George Campbell

32 Debriefing
Classified Information

CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2010 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 international. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.

2 www.csoonline.com March 2010

Cover illustration by Esteban


FORTUNE 500 COMPANIES DON'T CHOOSE SECURITY ON A WHIM.

Over 95 percent of the Fortune 500 choose VeriSign SSL as their online security of choice.

Why? Because VeriSign can enable the strongest encryption available and has the most rigorous authentication standards. Or because VeriSign® Extended Validation (EV) SSL offers the most visible site security available by displaying the green address bar in high-security browsers, which is also the most effective defense against phishing scams. Add it up, and it's easy to see why industry leaders choose VeriSign—the most trusted symbol of security on the Web.

It's powerful. It's the most visible. Learn more about protecting your site and your customers at VeriSign.com/EVSSLPaper.

© 2009 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the Checkmark Circle logo, the VeriSign Secured logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc., and its subsidiaries in the United States and foreign countries. All other trademarks are property of their respective owners.


[ FROM THE EDITOR ]

Listening In

Any field that's dominated by its product and service vendors is an immature field.

Products can typically solve a narrow problem, but if you lead the security function at a large organization, narrow problems are rare. Problems are connected to other problems and surrounded by all the fun issues of ownership and stewardship and cooperation and accounting that make our lives rich and rewarding. (You may detect a tiny hint of sarcasm here, although it's mixed with a larger portion of sincerity.)

Think of IT...er, management information systems...er, data processing back when it was all Big Blue over SNA. Costs were high and innovation was relatively slow. When the CIO voice became prominent, a business person running the IT shop based on the needs of the business, not the availability of whatever the vendors decided to put out, that's when IT started to enable and contribute to systemic change and improvement.

That's why the primary point of view in this publication is that of the CSO, rather than that of the vendors. It's why we focus more on challenges at the business-process level than at the level of narrow security problems. We are less likely to write about a particularly nifty door lock, useful though it may be, and more inclined to look at the challenge of keeping track of all your keys, and how you might pair other procedures with that key management process, all in the service of the larger goal of letting the right people in and keeping other people out. And we aim to primarily source those articles by talking to security leaders.

Nevertheless, not all the smart people in security are CSOs.

In this issue, we feature a conversation between two smart people who aren't CSOs. Andrew Jaquith works for Forrester. Adam Shostack works at Microsoft. Eavesdropping on them via their books and blogs and Twitter streams, it's clear these are two professionals with strong views about metrics and processes and "best" practices and many of the macro-challenges that CSOs face.

So we gave them a microphone and got out of their way.

I very much like this model of listening in while smart people talk to each other. One of the skills of a good journalist is the ability to shut up and listen. We've taken this approach before, sometimes with a CSO picking the brain of an expert from some other domain. For example, see former Cardinal Health CSO John Hartmann's interview with author and management guru Patrick Lencioni at www.csoonline.com/article/217394 and former Boston Scientific CSO Lynn Mattice's discussion with Ram Charan at www.csoonline.com/article/221344.

Who else would you like to hear from, whether CSO, vendor, author or something else entirely? E-mail your suggestions.

-Derek Slater, dslater@cxo.com


Editor in Chief: Derek Slater
Senior Editors: Bill Brenner, Joan Goodchild
Copy Editor: Colleen Barry
Editorial Administrator: Pat Josefek
Contributors: Mary Brandel, George Campbell, Robert McMillan, Michael Fitzgerald

DESIGN
Executive Director, Art and Design: Mary Lester
Art Director: Steve Traynor

RESEARCH
Research Manager: Carolyn Johnson

TECHNICAL ADVISORY BOARD
Jason Cowling
Jeremiah Grossman, WhiteHat Security
Frank Murphy, TBG Security
Stephen Northcutt, SANS Institute
Richard Power, Carnegie Mellon CyLab

EDITORIAL/ADVERTISING/BUSINESS OFFICES
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080

CXO MEDIA INC.

INTERNATIONAL DATA GROUP
Chairman of the Board: Patrick J. McGovern

IDG COMMUNICATIONS, INC.
CEO: Bob Carrigan
Chief Content Officer: John Gallant

Photo by Webb Chappell


Visit HID Global at ISC West, Booth #12051

I need... seamless access solutions that are convenient and cost-effective.

HID Global revolutionized physical access control by providing a secure and convenient method to gain entry to doors. Mirroring the same user experience, HID is now revolutionizing logical access. HID on the Desktop™ delivers user-friendly convenience and improved risk management for access to Windows® and IT networks by using the same card that opens your doors today.

Contact HID Global for a 90-day trial: hidglobal.com/90daytrial/CSO


[ FROM THE PUBLISHER ]

Know Your Surroundings

Years ago, I was in California on business and my rental car came with an early GPS unit. It was a neat novelty and irresistibly appealing; I was always traveling around with stacks of maps and directions to guide me to my meetings. My cohorts and I took to calling the GPS "Melissa" because of the sultry woman's voice that guided us to our destinations. (This also led to some awkward conversations when our wives could hear Melissa's voice in the background during a cell phone call.) We quickly became dependent on Melissa to guide us and stopped bringing those maps and printed directions.

On one particular trip, we entered our destination into the GPS and Melissa chirped up, reminded us to fasten our seat belts and started us on our way. We were unfamiliar with the area, so we were happy to be able to follow Melissa's confident, spoken directions with only an occasional glance at the map she displayed. But as we cruised along, we failed to notice that the scenery was changing.

The strip malls that lined secondary highways had been replaced by burned-out buildings, liquor stores and the occasional abandoned car, and we were being eyed suspiciously by the men and women walking along the streets. We found ourselves at an intersection: Florence and Normandie in Los Angeles. Those names may not ring a bell for some of you, but I assure you they were fresh in our minds. Earlier that decade it was in that intersection that Reginald Denny had been pulled from his truck and beaten in the riots that engulfed the area in 1992. Our faith in Melissa was shaken, to say the least. We had put our trust in a new technology without a thought that it would lead us anywhere but to our chosen destination.

Many people and businesses make this same mistake every day. We let ourselves rely on a new technology or process without making provisions for review or backup in case we're led into risky situations. We throw aside our usual cautions or suspicions and charge forward, abandoning situational awareness.

Maintaining situational awareness is a skill we all need to practice. Whether you are embracing cloud computing, hiring new employees, entering into business partnerships or using the GPS in your rental car, it's critically important that you maintain situational awareness and keep a weather eye on what you're doing, where you're going, and what risks you may be encountering so you can determine what lies ahead before it's too late to do anything about it.

We regrouped that day and moved on quickly. I always carry a backup now. Unfortunately, I just realized that my backup is the mapping app on my iPhone and that I have, again, fallen into the trap of complacency.

Best regards,

-Bob Bragdon, bbragdon@cxo.com


Advertiser Index

BeyondTrust: 7
CSO: 10
HID Corp: 5
IBM Corp: C2
ISACA: 13
PhoneFactor: C3
Trend Micro Inc: 16
SecureWorks: C4
Verisign: 3


Group Publisher: Bob Melk
Publisher: Bob Bragdon
Senior National Sales Manager: Per Melker
East Coast Regional Sales Manager: Roz Burke
West Coast Regional Sales Manager: Michelle McHugh
Sales Associate: Sarah Nadeau

INTEGRATED MEDIA AND ONLINE SALES
SVP, Online Sales & Ops: Gregg Pinsky
VP, Online Sales: Brian Glynn
East Coast Online Regional Sales Manager: Richard Hartman
West Coast Online Regional Sales Manager: Erika Karr
Central Online Regional Sales Manager: Stacy Bryne
Director, Online Account Services: Danielle Tetreault
Online Account Services Specialists: Jennifer Malkasian, Elise Ryan, Tara Shea

CUSTOM SOLUTIONS GROUP
Vice President: Charles Lee
National Sales Directors: Tom Grimshaw, Karen Wilde

PRODUCTION
VP/Manufacturing: Chris Cuoco
Production Manager: Heidi Broadley

EXECUTIVE PROGRAMS
SVP, Executive Programs: Ellen Daly
Vice President, Event Marketing: Michael Garity
Sr. Director, Event Operations: Deb Begreen
VP, Content Development & Events: Derek Hulitzky

MARKETING
Vice President, Marketing: Sue Yanovitch
Sr. Marketing & PR Specialist: Lynn Holmlund

LIST SERVICES
Contact Steve Tozeski of IDG List Services at 508 820-8106 or stozeski@idglist.com

REPRINTS & PERMISSIONS
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460 ext. 129, cso@theygsgroup.com

Photo by Christopher Navin


Copyright © 2010 BeyondTrust Software, Inc. All rights reserved. BeyondTrust is a registered trademark of BeyondTrust Software, Inc.

People need boundaries, not walls.

In the world of Web 2.0, you cannot safely distribute full admin rights on desktops or root passwords on servers.

So how do you protect against misuse of privileges, whether intentional, accidental or indirect, without stifling productivity? By allowing specific applications, tasks and commands. BeyondTrust makes it simple. Transparently brokering permissions from a central console, it enables users to work without interference, and provides detailed privileged access logging, key logs, and audit trails.

So don't think you have to choose between security and productivity, or risk non-compliance.

Delegate privileges with certainty and clarity... with BeyondTrust.

BeyondTrust: privilege, made simple. beyondtrust.com


What's on your mind? Security leaders discuss and debate at www.csoonline.com

BLOG POST

Legacy Vendor Agreements and Mass.'s Data Law

Michael Overly says you shouldn't be lulled by the grandfather clause

Unless you have been on an extended vacation, you likely know the Massachusetts Data Security Law (Standards for the Protection of Personal Information of Residents of the Commonwealth) went into effect on March 1, 2010.

You may also know that pre-existing, legacy vendor agreements are being grandfathered in, with compliance deferred until March 1, 2012. It is in regard to those legacy contracts that I suggest businesses start work now. While two years seems like a long time, those two years can run out quickly when you are trying to address potentially dozens, even hundreds, of legacy agreements.

As a quick review, the Massachusetts law requires that all legacy service provider agreements be compliant by March 1, 2012. Service providers are defined under the law as "any person that receives, stores, maintains, processes, or otherwise is permitted access to personal information through its provision of services directly to a person that is subject to this regulation."

I recommend starting now on the process of identifying all relevant service providers, reviewing their contracts and determining which of those relationships require restructuring. In many cases, compliance can be achieved by simply having the vendor execute a brief amendment to the existing contract addressing compliance with the Massachusetts statute. In other instances, a reticent vendor may force renegotiation of the entire underlying agreement. Worse yet, some vendors may refuse to amend or renegotiate their agreements at all. If that happens, replacement vendors must be identified and new agreements negotiated. This process will take time. Given that context, two years is a relatively short time, which is why businesses should start their compliance efforts now.

—Michael Overly

BLOG POST

Trends In Mobile Payment Are Frightening

iPhones might become capable of reading credit card swipes. Are you OK with that?

Do I really want someone with an iPhone taking my credit card info?

There's been enormous buzz lately about all of the new players trying to turn iPhones and other mobile devices into credit card swipe terminals. Very scary. Just because someone can create a website does not mean they understand payments.

So many questions:

1. Does the solution use a cryptographically enabled swipe reader?

2. Does the solution encrypt credit card information at the moment it is swiped?

3. Does the solution store any track data?

4. Does the solution encrypt all sessions back to the payment gateway?

5. Will it support tokenization?

6. Is the solution PCI PIN Transaction Security (PTS) certified?

7. Is the solution PCI Payment Application (PA) DSS certified?

That's just for starters. Now add in questions about the security of the 3G network and proper Wi-Fi configuration and security, and you could be creating the perfect recipe for massive credit card data breaches. These things are designed to "democratize" the taking of credit cards by the little guys, but should payments really be democratized?

There's no constitutional right to take credit cards. Taking credit cards to fuel your business is a responsibility. It's our data you're playing with!

Very few merchants—especially the smaller ones—understand, or even care about, security.

—Forrester Research

MORE ON THE WEB

Job Search Resources

CSOonline.com features a free security leadership job board, sample CSO resume and job description, interview tactics and much more. Start your search at www.csoonline.com/security/jobs/1

Photos by istockphoto.com

BLOG POST

Time to Rethink Encryption

Ed Adams says quantum computing has changed the game

Modern cryptographic systems are rapidly becoming more vulnerable; take the recent cracking of A5/1 GSM and RSA 768 bit as examples. But the real threat for long-term crypto security comes from Quantum Computers: mere science fiction two years ago, but now quite a reality and getting more real month by month. Recently Google and the National Institute of Standards and Technology (NIST) have demonstrated and used quantum computing for large-number calculations—specifically, Google used a D-Wave adiabatic quantum effect computing machine for image searching and matching, and NIST announced a working two qubit quantum computer that accurately calculated the precise energy of molecular hydrogen.

The events in the quantum computing space and the speed at which they are occurring are a clear indication of the need for rapid change in how we protect information, be it at rest or in motion. Why? Because quantum computers will render RSA encryption and elliptic curve cryptography (ECC) null and void. Yes, that's right—these two industry "standards" will be cracked in the snap of a finger. And we're not talking decades away—usable quantum computers will be here within 7-10 years. Imagine a reconnaissance satellite whose data encryption and authentication is suddenly cracked and open for anyone to see (or manipulate). Can't imagine the National Security Agency liking that one bit.

We must cease reliance on what will soon be antiquated (in Internet time) technology for protection. This year at the RSA Conference (March 1-5 in San Francisco) there will be several presentations on new crypto mechanisms, including one by Belgian researchers Jens Hermans, Frederik Vercauteren and Bart Preneel—we should pay attention because RSA and ECC will soon be useless.

Here's a link to download the NIST report "Quantum Resistant Public Key Cryptography" by Ray Perlner and David Cooper: http://middleware.internet2.edu/idtrust/2009/papers/07-perlner-quantum.pdf

Quantum computing is real... and it's time to rethink crypto.

—Ed Adams

HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.CSOonline.com.

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213
Twitter: @derekcslater

Bill Brenner, Senior Editor
bbrenner@cxo.com
508 988-7587
Twitter: @billbrenner70

Joan Goodchild, Senior Editor
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
E-mail: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 129, cso@theygsgroup.com.


CSO Perspectives

April 5-7, 2010
Hyatt Regency Santa Clara
Santa Clara, California
www.csoonline.com/csop10

TOPICS TO INCLUDE:

• The Changing Face of Security
• Security Spending
• Security Leadership
• Strategic Planning
• Cloud Security
• Fraud Detection

YOU'LL HEAR FROM INDUSTRY EXPERTS LIKE:

• ED BELLIS, Vice President and CISO, Orbitz
• ERIC COWPERTHWAITE, CSO, Providence Health and Services
• JEFF DIPRIMIO, Global Security Operations Manager, Genzyme
• BHAVESH PATEL, Senior Director, Global Risk and Business Operations, Genzyme
• JIM REAVIS, Co-Founder, Cloud Security Alliance
• JONATHAN RICHARDSON, Partner, Black Swan Group
• MICHAEL THEIS, Executive Director of Insider Threat Management Strategies, Raytheon

TO REGISTER VISIT: www.csoonline.com/csop10, call 800-366-0246 or email executiveprograms@cxo.com

Produced by: CSO

Underwriter, gold, silver and emerging solutions sponsors (logos): Trend Micro, Security Technologies, ActivIdentity, RSA, The Security Division of EMC, BeyondTrust, Envision, Verizon Business


"Jailbreaking wipes away 80 percent of the iPhone's security controls." page 14

Edited by Bill Brenner

DDoS Takes Aim at Layer 7

Report shows more tools are exploiting the application layer to maximize the impact of attacks. Here's what you can do about it.

A report from the Cyber Security Forum Initiative (CSFI) offers further evidence that botnet herders are getting a bigger bang for their distributed denial-of-service (DDoS) attack buck by targeting security holes at layer 7 of the Open Systems Interconnection network model, more commonly known as the application layer.

A paper on the findings, "L7DA [Layer 7 DoS Attack] Report v1.0," was passed along to CSOonline.com by Paul de Souza, a Chicago-based security analyst and founder of CSFI, a group of IT security practitioners who volunteer their guidance and support to companies that have suffered cyber attacks.

The findings stem from an investigation conducted by 11 volunteers from the IT security community. According to the paper, CSFI was contacted by a company that claimed to be experiencing a new layer 7 DDoS attack. CSOonline.com has omitted the names of the companies and agencies involved because much of the information is confidential.

"The attack has been found in the wild and [was] possibly created by Chinese hackers," the paper states. "It is said to have been deployed to Chinese-owned botnets at this time. According to our source, this new L7DA targets IIS [Internet Information Services] and Apache servers."

The attack exploits a design element used by both IIS and Apache applications and is effective enough to crash the targeted servers within minutes. "This type of attack would focus on the HTTP Post method of the IIS and Apache applications. This variation of L7DA was claimed to have been discovered by our source in Singapore where their Beijing, China branch collected intelligence about Chinese hackers implementing a new Layer 7 DDoS attack," the paper continued.

The SysAdmin, Audit, Network, Security (SANS) Institute's Internet Storm Center site, which is cited in the paper, explains the method of the attack this way: "The tool works by exhausting Apache processes; this is done by sending incomplete request headers so Apache keeps waiting for the final header line to arrive; the tool instead just sends a bogus header to keep the connection open. Besides Apache (both versions 1.x and 2.x), Squid is also affected. Knowing how many servers running on Apache there are, this makes the tool very dangerous since it doesn't require absolutely any knowledge from the attacker: all he/she has to do is run the tool and the target site goes down."

The attacks are also being enabled by a hacker tool one hacker site described as a "low-bandwidth yet greedy and poisonous HTTP client" that "essentially keeps an HTTP session alive indefinitely (or as long as possible)" and repeats the incomplete request process hundreds of times, leading to a sustained DDoS.

At  the  request  of  CSFI,  the  name  of  the 
attack  tool  in  question  is  not  mentioned  here. 

The CSFI team tested the tool in question and was able to “kill” an Apache 2 patched Ubuntu 9.10 server in less than 20 minutes, including a test run that took 15 minutes.

March 2010 www.csoonline.com 11

>> BRIEFING

[Photo: CISO and security consultant James Arlen]

According to CSFI’s code review, the program has a default time-out of 5 seconds and includes code that will try to figure out the target connection’s time-out. If the target’s time-out is too low, the paper states, the script does not function and bails out.

That botnets are being loaded with layer 7 DDoS capabilities is not a surprise to CSFI member and Northrop Grumman Senior Security Analyst Emily Watts-Darraj. In an e-mail exchange, she said the important thing is to start developing countermeasures.

One possible defense, according to the “L7DA” report, is to “create a process that watches the connections table or system resources, which can detect the system becoming overloaded. The server would then automatically change its connections timeout to a smaller window to reduce the load.”

Another approach proposed in the paper would be to put a device in front of the Web server that accepts the connections on behalf of the server and creates a connections table. “Then based on set values, it will adjust the timeout and kill connections that exist when the timeout value is adjusted.”
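A sketch of the adaptive-timeout defense the report proposes, written as an added example that is not code from the CSFI paper, the SANS diary or the article. It models a connections table whose header timeout shrinks as the table fills, reaps connections that have sat in the header phase longer than the current timeout, and flags peers holding many incomplete requests; the thresholds, class names and sample addresses are all assumptions.

```python
"""Adaptive connection-timeout watchdog (added example, not the report's code).

Models the defense the L7DA report describes: watch the connections table,
detect overload, shrink the timeout, and kill connections that already exceed
the new window. Timestamps and peer addresses below are constructed samples.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Conn:
    peer: str             # client address (constructed sample value)
    opened_at: float      # when the connection was accepted (seconds)
    last_byte_at: float   # when the most recent request byte arrived
    headers_done: bool    # True once the blank line ending the headers arrived


@dataclass
class ConnTable:
    max_conns: int                  # worker/slot limit being protected
    timeout: float = 300.0          # starting header timeout, Apache-like default
    min_timeout: float = 5.0        # floor so genuinely slow clients still work
    high_water: float = 0.8         # overload threshold, fraction of max_conns
    low_water: float = 0.5          # recovery threshold, fraction of max_conns
    conns: dict = field(default_factory=dict)
    next_id: int = 0

    def accept(self, peer: str, now: float) -> int:
        """Record a newly accepted connection; returns its table id."""
        cid = self.next_id
        self.next_id += 1
        self.conns[cid] = Conn(peer, now, now, False)
        return cid

    def on_bytes(self, cid: int, now: float, headers_done: bool = False) -> None:
        """Note request bytes on a connection. A bogus header line only updates
        last_byte_at; it does not finish the headers, so the connection stays
        in the header phase and remains subject to the header timeout."""
        c = self.conns[cid]
        c.last_byte_at = now
        c.headers_done = c.headers_done or headers_done

    def load(self) -> float:
        return len(self.conns) / self.max_conns

    def incomplete_by_peer(self) -> Counter:
        """How many header-incomplete connections each peer currently holds;
        a large count from one address is the 'hundreds of times' pattern."""
        return Counter(c.peer for c in self.conns.values() if not c.headers_done)

    def tick(self, now: float) -> list:
        """Watchdog pass: adjust the timeout from current load, then kill
        connections that have spent longer than the (new) timeout in the
        header phase. Returns the (id, peer) pairs that were killed."""
        load = self.load()
        if load >= self.high_water:
            # Overloaded: halve the window, but never below the floor.
            self.timeout = max(self.min_timeout, self.timeout / 2)
        elif load <= self.low_water:
            # Recovered: relax the window again, up to the starting value.
            self.timeout = min(300.0, self.timeout * 2)
        killed = []
        for cid, c in list(self.conns.items()):
            # Age is measured from accept, not from the last byte, so trickled
            # bogus header lines cannot keep a slot alive indefinitely.
            if not c.headers_done and now - c.opened_at > self.timeout:
                killed.append((cid, c.peer))
                del self.conns[cid]
        return killed


def demo() -> tuple:
    """Constructed scenario: nine slow, header-incomplete connections from one
    address fill a ten-slot table alongside one legitimate request."""
    table = ConnTable(max_conns=10)
    for _ in range(9):
        table.accept("198.51.100.7", 0.0)
    legit = table.accept("203.0.113.5", 0.0)
    table.on_bytes(legit, 0.2, headers_done=True)
    log = []
    for second in range(1, 8):
        killed = table.tick(float(second))
        log.append((second, table.timeout, len(killed)))
    return log, len(table.conns)


if __name__ == "__main__":
    for second, timeout, killed in demo()[0]:
        print(f"t={second}s timeout={timeout:.3f}s killed={killed}")
```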

In the recent CSOonline.com article “DDoS Attacks Are Back (and Bigger Than Before)” (www.csoonline.com/article/515614), experts noted that DDoS attacks have grown more ferocious in recent years because attackers have a seemingly bottomless reservoir of resources to draw from - most critically, botnets with millions of hijacked machines that can be used to launch assaults.

“We see a lot less of the fire-and-forget malware-based attacks designed to bog down the machines that were infected,” Akamai Technologies CSO Andy Ellis said, referring to old-school worm attacks like Blaster, Mydoom and Code Red. “Now the malware is used to hijack machines for botnets and the botnets themselves are used as the weapon.”

-Bill Brenner


It’s a common observation among IT security practitioners lately: Companies are so obsessed with getting through a compliance checklist that security technology is implemented haphazardly, in ways that actually increase a company’s risk. At the recent ShmooCon security conference in Washington, D.C., CSO Senior Editor Bill Brenner asked Ontario-based CISO and security consultant James Arlen what examples of this problem he’s seen, and what - if anything - can be done about it.

There are a lot of tech-heavy talks going on at ShmooCon this year. As a CISO, what are your biggest technological concerns?

James Arlen: We need to focus more on the quality of security technology implementation. It’s no longer enough just to buy the thing, to have that technological doodad. When you get through all your PCI security check marks and your SAS70 [Statement on Auditing Standards No. 70] requirements, that’s great, but are you getting the value you’re supposed to be getting?

And you don’t see that happening? In a lot of cases there’s no way to get that value because of the implementation. You buy it, you turn it on, the red light is blinking and it’s making the peeping sound, but it’s not doing anything for you. You’re not getting any risk reduction. You’re not increasing your situational awareness. We need to find a way to get better at that stuff faster.

Give an example of where you’ve seen this problem. In my long, sordid history as a security consultant, I see it all the time. You’d see these firewalls implemented with hugely long rule sets, but then you go down to the bottom and discover that somebody slipped in exceptions because it would make testing easier or allow them to get something into production faster. So it’s an example of taking all this hard work you’ve done and undoing it in the name of expediency.

The flip side of that is that, in being a security operational person, you go out and get the tool, and you train one or more people to use it, and because the security industry is as fast paced as it is — “fast paced” being another way of saying “high turnover” — you end up in a situation where three to six months down the line you don’t have that practitioner excellence and you have a tool that has essentially been shelved because there’s no one who knows how to use it.

Is that something that can be remedied by training a wider group of people in the IT shop? The cost of training, when you’re not in implementation phase, isn’t something that you can throw into the capital budget. It has to come from your daily operational budget, and you don’t have the money for it. You can’t afford to send someone to San Jose for training for two weeks to get really good at it, and you’re back at that point where you’re hoping you can hire a capability when you really want to hire a person who has a capability. So you end up back into this hire-and-fire mind-set that does absolutely nothing for organizational security. You end up with this awesome hammer and this huge number of nails that need to be whacked, and nobody’s sure which end to hit the nail with.

That sentiment came out in a survey CSOonline.com did recently in partnership with consultancy Deloitte and Touche, the Secret Service, and Carnegie Mellon University’s Computer Emergency Response Team (CERT). Companies spend millions to bolster IT security, but some wonder if it’s worth it. It goes back to this idea I’ve been trying to get people to understand for years now: You don’t need to be compliant, you need to be meta-compliant. You don’t want to be compliant with specific regimes. You want to be compliant with a superset of all those regimes. The only way to get there is to essentially have an enlightened desire to do the right thing. The security spend is tied tightly to quarterly results and shareholder value because, ultimately, security spend is just another kind of insurance spend.

-Bill Brenner

GOOD FORTUNE Can Be Yours

Career advancement awaits you.

BREAK INTO IT.

Register for an ISACA certification exam.

Exam Date: 12 June 2010

Registration Deadline: 7 April 2010

ISACA - Trust in, and value from, information systems

www.isaca.org/csomag

Introducing ISACA’s newest certification: Certified in Risk and Information Systems Control, an ISACA Certification

CISA - Certified Information Systems Auditor

CISM - Certified Information Security Manager

CGEIT - Certified in the Governance of Enterprise IT

Grandfathering begins 1 April 2010.


MOBILE  DEVICE  SECURITY 

Why  Your  Smartphone  Is  Stupid  Easy  to  Hack 

Researchers  uncover  simple  ways  bad  guys  can  use  your  phone  against  you 


We’ve heard a lot about how our PCs and laptops can be compromised through malware and insecure wireless access points, but we’ve often comforted ourselves with the knowledge that our smartphones are safe from such things.

But the smarter these phones become, the more susceptible they are to those same dangers, as well as others. That was the warning Trevor Hawthorn, a founder and managing principal at Stratum Security, issued last month at ShmooCon 2010.

“The old smartphone wisdom in terms of security best practices was that you simply needed to wipe the devices of all your data before selling them on eBay,” he said. “Today, you can use them to access the company VPN and Outlook, so the dangers are much more in line with those of PCs and laptops.”

Hawthorn discussed security holes - they’ve since been fixed - that were found in AT&T’s network, which Apple’s iPhone uses, and how an epidemic of “jailbreaking” is disabling critical security controls on the device.

Jailbreaking is the process of unlocking an iPhone or iPod Touch to run whatever code users want, whether it’s authorized by Apple or not. They can then download a variety of apps they can’t get in the Apple App Store.

For those who hate Apple’s heavy hand and welcome any method of thumbing their nose at the company’s decrees, jailbreaking is very attractive. But there’s a problem, Hawthorn said. A big one.

“Jailbreaking wipes away 80 percent of the iPhone’s security controls,” he said. “Since nearly seven percent of all iPhones are jailbroken,” the bad guys have plenty of devices to target.

And target they have.

Exhibit A is the iKee worm. According to an earlier analysis from security vendor Sophos, Apple iPhone owners in Australia were infected by a worm that changed their wallpaper to an image of 1980s pop crooner Rick Astley. “The worm, which could have spread to other countries although we have no confirmed reports outside Australia, is capable of breaking into jailbroken iPhones if their owners have not changed the default password after installing SSH,” Sophos Senior Security Consultant Graham Cluley wrote. “Once in place, the worm appears to attempt to find other iPhones on the mobile phone network that are similarly vulnerable, and installs itself again. On each installation, the worm - written by a hacker calling themselves ‘ikex’ - changes the lock background wallpaper to an image of Rick Astley with the message: ‘iKee is never going to give you up.’”

This hack may seem harmless, but Hawthorn noted that such malware can easily be adapted to more sinister ends, such as the theft of sensitive data.

It’s also worrisome that the bad guys could use the advanced map and GPS software on these devices to see exactly where a person is and where they are going. From there, a cyber threat becomes a physical one. [Related ShmooCon story: “Inside FarmVille’s Sinister Underbelly,” next page.]

One way bad guys can target a phone user is through a game called “Underworld: SweetDeal,” a free location-based iPhone multiplayer online game about trading controlled substances in the real world.

Hawthorn noted that players can use Google Maps to locate other players. In the course of his research, he found players in some interesting places. He was able to track two different players to parking lots outside NSA and CIA headquarters.

“You can check a person’s movements because the game checks in on your device’s location regularly,” he said.

His advice in this dangerous new world?

For one thing, be careful with games like these and understand that you’re opening yourself up to danger, including physical abduction.

As for the threats that arise from jailbreaking? The solution is a lot simpler: Just don’t do it, he said. -B.B.


Security Wisdom Watch

Technology Edition

Thumbs Both Ways: BlackBerry: The smartphone most used for business is easy to hack, according to researchers.

Thumbs Both Ways: iPhone: Apple may like to boast that it’s more secure than Microsoft, but researchers at the recent ShmooCon conference proved that it’s just as easy to target the iPhone as it is to target other devices. Tip: Use the GPS feature sparingly.

Thumbs Down: P2P: Peer-to-peer networks may be a useful way to communicate over long distances, but when employees start using them to exchange sensitive data, a security threat is born.

Thumbs Down: Facebook Apps: Hackers are having little trouble hijacking popular apps like FarmVille and Mafia Wars. Since employees have a habit of playing these things on company machines during company time, it’s now an enterprise IT problem.

Thumbs Up: LinkedIn: Sure, the business-oriented social networking platform has its own security problems, but researchers are finding it harder to hack than other social networking sites.

-B.B.


SOCIAL NETWORKING

FarmVille’s Dark Underbelly

You love Facebook apps and think they’re perfectly safe, right? Think again.

You see it all the time on Facebook: A friend moving on up in FarmVille. Another friend trying to expand his posse in Mafia Wars. Everyone thinks of them as harmless third-party applications, free from the crooks and cons of cyberspace.

Unfortunately, that’s not the case.

The sad fact is that these applications are susceptible to malware pushers and those looking to steal your personal information. It’s not much of a stretch for hackers to impersonate people you think are trusted fellow players, just like in other online games. And the more you expose yourself, the bigger a target you become.

The dangers of these games were part of a larger talk on social networking dangers at the 2010 ShmooCon security conference. Indeed, danger to social networkers comes from all directions, be it malicious Twitter bots disguised as celebrities following you or phishers who hook you with a profile picture of a hot model to get you to friend them back on Facebook. In their talk “Social Zombies II: Your Friends Need More Brains,” security practitioners Tom Eston, Kevin Johnson and Robin Wood presented new techniques and tools used to exploit people on these social networks. “Facebook has 350 million users with 12 million logging in daily. Twitter is getting 6.2 million new users a month. The target base keeps growing,” said Eston, a penetration tester for a Fortune 500 financial services organization.

In one of their more colorful examples, the trio asserted that actress Jessica Biel is the most dangerous woman on the Internet because of all the fake profiles using her name and image that are scattered throughout the social networking landscape.

People on Twitter are easily duped into thinking Biel is following them. On Facebook, folks proudly count her among their friends, not realizing the page is really under the control of an ill-intentioned operator who wants them to click on malicious links on the page.

Then there’s Blippy, a social network billed as a “fun and easy way to see and discuss the things people are buying.” The presenters noted that penetration testers absolutely love this platform because of the naked insight it offers into the spending habits of individuals. While it’s becoming increasingly difficult for people to turn away from social networking, there are ways to protect yourself, the presenters noted. For one thing, you can avoid Facebook and Twitter pages purporting to be those of famous people. A good way to tell if a Twitter account is really a front for a malicious bot is to look at its follower/following ratio. If they’re being followed by 50 people but are following over a thousand, that’s a pretty good indication that something stinks. And, the presenters noted, if you must use apps to get around and find the shops you’re looking for, remember that the information you allow the app access to can be enough for someone evil to track your specific whereabouts and come after you. -B.B.



60% OF PRODUCTION VIRTUAL MACHINES ARE LESS SECURE THAN THEIR PHYSICAL COUNTERPARTS!

THINK CONVENTIONAL SECURITY CAN PROTECT YOUR VIRTUAL ENVIRONMENT? THINK AGAIN.

Enterprises around the world are relying on virtualization to increase datacenter efficiency and, unknowingly, leaving themselves more vulnerable. That’s because conventional security isn’t able to protect virtual machines or see the traffic between them - leaving data and networks exposed. Which is why, according to Gartner, Inc., in 2009 sixty percent of virtual machines were less secure than their physical counterparts. But with Trend Micro Enterprise Security, powered by the Trend Micro Smart Protection Network infrastructure, you can mitigate the risk and maximize the benefits of virtualization. It’s a different kind of security that protects your physical and virtualized environments and helps set the foundation for your company to move confidently into the cloud.

Learn how to protect your virtualized datacenter. Download the Trend Micro eBook at trendmicro.com/thinkagain

TREND MICRO - Securing Your Web World



CYBERCRIME

NEW RUSSIAN BOTNET TRIES TO KILL RIVAL

An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the competing malicious program from infected computers.

Security researchers say that the relatively unknown Spy Eye toolkit added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus.

The feature, called “Kill Zeus,” apparently removes the Zeus software from the victim’s PC, giving Spy Eye exclusive access to user names and passwords.

Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own botnet networks of password-stealing programs. These programs emerged as a major problem in 2009, with the FBI estimating last October that they have caused $100 million in losses.

Trojans such as Zeus and Spy Eye steal online banking credentials. This information is then used to empty bank accounts by transferring funds to so-called money mules - U.S. residents with bank accounts - who then move the cash out of the country.

A number of similar Trojans have emerged recently, including Filon, Clod and Bugat, which was discovered just two months ago.

Spy Eye popped up in Russian cybercrime forums in December, according to Symantec Senior Research Manager Ben Greenbaum.

With its “Kill Zeus” option, Spy Eye is more aggressive than other crimeware. The software can also steal data as it is transferred back to a Zeus command-and-control server, said Kevin Stevens, a researcher with SecureWorks. “This author knows that Zeus has a pretty good market and he’s looking to cut in,” he said.

Turf wars among cybercriminals are nothing new. Two years ago, a malicious program called Storm Worm began attacking servers controlled by a rival known as Srizbi. And a few years before that, the authors of the Netsky worm programmed their software to remove rival programs Bagle and MyDoom.

Spy Eye sells for about $500 on the black market, about one-fifth the price of premium versions of Zeus. It has not yet been spotted on very many PCs, however.

Still, the Trojan is being developed quickly and has a growing list of features, Greenbaum said. It can, for example, steal cached password information that is automatically filled in by the browser and back itself up via e-mail. “This is interesting in its potential, but it’s not currently a widespread threat at all,” he said.

-Robert McMillan


Verbatim... Shots heard round the security world

“You think it’s not your responsibility to speak the language of your bosses when communicating the company’s security needs? Well, that’s why you’re not the boss, idiot.”

-CISO James Arlen, during a podcasting event at ShmooCon, when someone suggested it’s not his job to articulate threats in a language his managers can understand

“So what I wonder is: What is it that lets people buy lottery tickets because ‘somebody’s gotta win,’ yet often reject security or safety measures even though, by the same argument, ‘somebody’s gotta lose’?”

-Pete Herzog on the security metrics mailing list

“The mistake we made was marking this bug for ‘next’ release, instead of marking it for the next Flash Player 10 security dot release.”

-Emmy Huang, product manager for Flash Player, on why a gaping security hole in Flash was allowed to go unpatched for more than a year

PRIVACY 


2010 COMPASS AWARDS

CSO magazine congratulates the following winners of the 2010 Compass Award for going above and beyond the call of duty in advancing the security profession:

■ Bruce Schneier, Chief Technology Security Officer, BT

■ Erin Jacobs, CSO, United Collection Bureau

■ Richard Gunthner, VP of Global Security, MasterCard

■ Alan Nutes, Security Manager, City of Atlanta Dept. of Watershed Management

■ Leslie Lambert, CISO, Sun Microsystems

■ Roland Cloutier, VP and CSO at ADP


P2P Snoopers Know What’s In Your Wallet

People send their most sensitive personal information out over P2P networks, and the bad guys are watching

Being security researchers and all, Larry Pesce and Mick Douglas of pauldotcom.com thought it would be a hoot to take a look at some of the information people send out over peer-to-peer (P2P) networks. They were taken aback by what they found.

At the 2010 ShmooCon security conference, the duo showed off the extremely sensitive information they’ve been able to intercept, including driver’s licenses and passports, tax return forms with Social Security numbers, someone’s last will and testament, and information on one man’s secret activities that could potentially cause him to be targeted by terrorists.

Douglas and Pesce were inspired to look at P2P networks after highly publicized incidents where details of a Secret Service safe house for the first family leaked out on LimeWire, a file-sharing network. In another incident, classified information about Marine One’s communications, navigation and management systems were found in a publicly available shared folder on a computer in Tehran, Iran, after apparently being leaked over a P2P network.

As part of the experiment, the duo used such search terms as word, doctor, health, passwd, password, lease, license, passport and visa. File names used included password.txt, TaxReturn.pdf, passport.jpg, visa.jpg, license.jpg, signons2.txt, and signons3.txt. They also hunted for material containing the file extensions .pst, .cfg, .pcf, .doc, .docx, .xls, .xlsx, .pdf, .tax, .qdb, .qmd, .qsd, .qtx, .idx, .qif, .mny, .ofx, .ofc and .txt.

Pesce described the findings as a lesson in stupidity and compared the act of stealing identities through P2P to clubbing baby seals.

Along with the typical malware samples, music and porn, the researchers unearthed such personal information as:

■ A 2008 Cheerleading World’s event schedule, complete with the cheerleaders’ names, flight and bus schedules, hotel room locations and performance dates and locations.

■ A retirement analysis form that included the prospective retiree’s savings account total up to that point and estimates on what he/she would have to take in for income.

■ A form from the Internal Revenue Service with someone’s taxpayer identification number printed across the bottom.

■ A completed TurboTax form with all the taxpayer’s personal information.

■ A letter of recommendation for a student who wanted to help U.S. forces in Iraq that included this sensitive detail: “[Person’s name] is forced to live a secret life that he must hide from family and friends to protect them, as well as himself, from torture and certain death at the hands of terrorists.”

A terrorist could easily crack the same P2P traffic Pesce did. “This could absolutely get him killed,” he said.

To help other security specialists conduct the same research, and to help organizations tighten up the flow of information they share over P2P, Pesce and Douglas started what they call the Cactus Project. The project names best-of-breed tools for conducting similar research, including Mutella and the Gnutella Protocol.

As for the takeaways, the researchers said it’s clear that security education hasn’t reached the “unwashed masses” and that it’s still too easy to put sensitive data on P2P networks.

“We have to keep trying to educate people,” but this kind of research can help security practitioners take steps to better protect their own organizations going forward, Douglas said.

-B.B.


By  Mary  Brandel 


Biometrics in the Real World

Biometric access control has long struggled to provide enough payoff for the pain. Here are the practical strengths and weaknesses of the most common biometric tools.


Biometrics encompasses a variety of methods for ensuring identity based on physical or behavioral traits. Conventional identifying traits include fingerprints, face topology, iris structure, hand geometry, vein structure, voice, signature and keystroke recognition. Emerging technologies analyze characteristics such as gait, odor, and ear shape. Rather than being used in isolation, biometrics systems are increasingly becoming multimodal, an approach meant both to increase security and to overcome failure-to-enroll problems.

In order for the systems to work, users first have to be enrolled and their information must be recorded in a database. From there, they use either a verification or identification approach. With verification, the system confirms that a person is who he claims to be, via a one-to-one matching model. Identification, on the other hand, is more complex. It uses a one-to-N approach, matching the person’s biometric data to a list of users in the database.

Biometrics offers several advantages over identification cards and passwords or PINs, namely the requirement that the person being identified is physically present and the elimination of the need to remember codes or tokens. Dan Miller, senior analyst and founder of Opus Research in San Francisco, distills the benefits of biometrics: Other systems rely on something you know or have, whereas biometrics works off something you are.

Key Applications

There are several applications for which biometrics is useful, according to Maxine Most, principal at Acuity Market Intelligence in Louisville, Colo., and she projects that they’ll grow at varied rates between 2009 and 2017:

Physical Access: Facility and secure-area access, time-and-attendance monitoring. Growth: Flat, starting at 13 percent of total market revenues and ending at 14 percent.

Logical Access: PC, networks, mobile devices, kiosks, accounts. Growth: From 21 percent to 31 percent of total market revenues.

Identity Services: Background checks, enrollment, credentialing, document issuance. Growth: Decline from 65 percent to 47 percent of total market revenues.

Surveillance and Monitoring: Time and attendance, watchlists. Growth: From less than 1 percent to nearly 8 percent of total market revenue.

Market Drivers

In the public sector, worldwide government mandates for integrated border management systems are driving adoption of biometrics for electronic identification programs, Most says. In the commercial market, she says, the main drivers will be the evolution of mobile phones equipped with near-field communications, which enable information sharing, service initiation and payment and ticketing capabilities.

“This will be a problem crying out for biometrics,” she says, “not only to lock the devices, but also to authenticate high-risk or high-value transactions.” Tens of millions of mobile devices are already shipping with embedded biometrics, she points out. Similarly, another driver may be the healthcare industry, which may look to biometrically protect electronic health records, she says.

According  to  a  recent  survey  by  Unisys 
Corp.,  rampant  growth  of  identity  theft  and 
new  regulations  mandating  increased  pro¬ 
tect  of  personal  identification  information 
are  driving  acceptance  of  biometrics. 

Market Overview

Biometrics have experienced setbacks over the years, in the form of inadequately planned deployments, inherent limitations of the technology and fears about violations of privacy and civil liberties, Most says. But she sees overall momentum in this market, predicting global revenues for biometrics core technology will reach nearly $11 billion annually by 2017, a compound annual growth rate of 19.69 percent.

This will be due in part to significant transformations over the next 10 years, she says, which will include improved ease of use, accuracy and performance; lower prices and increased reliability of capture devices; and the embedding of capture devices in everything from PDAs, PCs, point-of-sale terminals and ATMs to vehicles, security gates and home appliances.

Vendors

Most says that the biometrics industry has historically been dominated by a highly fragmented core of vendors producing the various technologies biometrics requires: sensors; pattern recognition and matching algorithms; integrated devices (sensors plus algorithms); and platform software. Consolidation is on the rise, however, as exemplified by the buying spree of L-1 Identity Solutions, which snapped up finger scanning software vendor Identix and face recognition software vendor Viisage Systems (which had previously bought iris recognition application vendor Iridian).

Until recently, the competitive focus has been limited to accuracy and performance, Most says. However, maturing business models will evolve from product- to service-based offerings, she says.

“Time-and-attendance systems absolutely pay for themselves within a year, whether it’s a small-scale or large system.”
-MAXINE MOST, PRINCIPAL AT ACUITY MARKET INTELLIGENCE

Dos and Don’ts

DO expect resistance. All biometrics systems require user enrollment and credentialing, which are expensive and resource-intensive processes, Most says. “There is well-founded resistance to the idea of large, centralized repositories of personal information,” she says. Eventual solutions to this problem may include anonymous identification, encrypted transmission of templates, and identity-centric infrastructures with distributed storage models.

In some cases, resistance comes in the form of cultural norms, says Ant Allen, an analyst at Gartner. For instance, finger scanning is not widely accepted in Japan, he says, as people reject the idea of physical contact with the sensors. Since the country’s banks use biometric identification extensively for ATMs, many have turned to vein structure biometrics, whose sensors do not require contact.

Privacy concerns are another reason for resistance, he says. An example is retina- and iris-scanning systems, as these images can show symptoms of certain illnesses that people may want to keep private, he says.

DON’T overlook usability. System usability is another important factor. With finger-scanning systems, there is always a segment of the population that encounters difficulties with the scanners getting a correct read due to their skin type, Allen says. “It may mean providing an alternative system for this small group of users, and that might be seen as discriminatory,” Allen says. He recounts a client that had to find an alternative for six users out of 2,000 to 3,000, as they could not interact successfully with the scanner. Reasons for enrollment problems include health conditions, racial characteristics, disabilities and personal idiosyncrasies, Most says.

Iris scanners seem to have fewer problems with enrollment, Allen says, but it’s not always easy to get a good image. “My eyelids are quite heavy, so I physically have to hold them apart with my fingers to get an image,” he says. “It works, but it’s inconvenient.” Face topography biometrics are also easier for enrollment, he says, but they have a lower accuracy rate.

Vein structure biometrics seem to work in a wide variety of circumstances, he says, although they may fail in extreme temperatures or environments. “A vendor tried it with coal miners, but the carbon from the coal on their fingers blocked the image,” he says. On the other hand, these systems can read through medical gloves, which makes them an intriguing option for healthcare applications, he says.

At Beth Israel Deaconess Medical Center, Larry Nathanson, director of emergency medicine informatics, had to test a couple of systems to find one the ER doctors and nurses were comfortable with.

Nathanson was looking for a finger-scanning system for the tablet computers that are increasingly used in Beth Israel’s ER. Because Nathanson wanted a strong password system—with a combination of numbers, symbols and uppercase characters—it was too cumbersome to enter the passwords into the tablets, which use on-screen keyboards. “By the time they got done, they could have walked back to their desk and done what they needed to do,” he says. “It was a huge barrier.”

He tested one finger scanning system, but because of its architecture, it offered only “mild benefits,” he says. When a user swiped his finger, the system would go into “identification” mode, checking the print against the back-end database on a one-to-N basis. When finished, it would tell the client to unencrypt the user name and password and plug them into the Web application. Thereafter, it operated in “verify,” or one-to-one mode, so when another ER staffer picked up the tablet and swiped his finger, it would first try to verify if this was the same user as before. Because it wasn’t, it added additional steps. The catch: It could take 30 to 60 seconds to complete the log-in, which was no faster than entering a password.

He eventually found a workable system from BioKey, which is based on a thin-client architecture, with the bulk of identification happening on the server side. “With BioKey, you’re just swiping your finger, and the server does the work on the biometric, eliminating the password,” he says. “It’s faster and more secure.”

DO consider no-touch and “do nothing” technology. According to Most, contactless and passive biometrics systems (such as face and iris) will gain significant traction because they require less of the user and pose fewer hygiene problems. “Biometric authentication that does not require the user to do anything, like position themselves or have physical contact with a reader, will prove faster,” she says. She refers to a conference she attended, where finger-scanning door locks were on display. “I was laughing because I’m a mom—if you’re standing at your front door with groceries and a baby, you want the door to recognize you through something like an iris scanner,” she says. “The guy next to me was from Sweden—he said, ‘I’m not taking off my glove in the winter to get in the door.’”

Daniel Cook, network engineer and software technician at Bates County Memorial Hospital in Butler, Mo., switched from a fingerprint-based to a vein structure-based setup from Fujitsu for the hospital’s time-and-attendance system. The old system yielded too many false negatives, Cook said, denying authorized people because they had abrasions or dirt on their fingers.

The Fujitsu system is more accurate and reads a lot faster, Cook says, and employees prefer it because the sensor is more sanitary. Users hold their hand up to a sensor, which reads the veins in their palms. Although they come into contact with two positioning pieces of the sensor, “it’s easy for housekeeping to keep clean,” Cook says. In all, there are eight systems implemented for 350 employees at the hospital. Cook also considered an iris scanner, but it was much more expensive, he says.

DO keep an eye on standards. Interoperability has been a key obstacle to biometrics solutions development, according to Most, and a bitter point of contention within the industry. “Though there are still internal battles regarding proprietary technology approaches and solutions, it is widely accepted that the industry as a whole will not progress unless uniform standards allow the integration of technologies from various vendors,” she says. Many large commercial and government contracts will not be undertaken without the ability to select image capture devices and algorithms from multiple vendors. Standards are evolving, and some third-party vendors are taking on the interoperability challenge, but much work remains to be done.

DO consider applications with short-term ROI. Of all the business cases to use biometrics, time-and-attendance is the one with the shortest and most certain ROI, according to Most, because it eliminates “buddy-punching,” where one person clocks in for another. “Biometrics not only offers the only effective means of addressing this business-breaking problem, but it also has more than a decade of proven performance, reliability and cost savings in time-and-attendance applications,” Most says. Industry estimates place intentional and error-driven time theft in the range of 1.5% to 10% of gross payroll, she says.

In addition to stopping buddy-punching, other cost savings are achieved from reductions in overtime and payroll expenses, ending the need for time-clock supervision, and eliminating processes and supplies related to time cards, badges or PINs. “Time-and-attendance systems absolutely pay for themselves within a year, whether it’s a small-scale or large system,” she says.

According to Raymond Chera, president of RCNY Restaurants, using DigitalDining POS terminals with integrated DigitalPersona fingerprint biometrics, as opposed to the typical card-swipe or passcode method of logging into a cash register, is “a no-brainer” in the fast-food industry.

With the traditional system, employees can clock in friends, and managers’ orders can be put through by anyone. With the biometric system, “no one can sign anyone else in or use anyone else’s information,” he says. The cost difference was minimal, and “the level of security it adds to my business is great—there are no headaches and no worries,” he says. Currently, he has implemented the biometric system in just one location, but he plans to use it in all 41 new Arby’s restaurants the company is slated to open in New York in the next decade.

Biometrics Techniques Compared: Equal Error Rate and System Cost

Fingerprints
  Equal error rate: 2%-3.3%
  System cost: High

Vein Structure
  Equal error rate: N/A
  System cost: N/A

Iris Structure
  Equal error rate: 4.1%-4.6%
  System cost: Very High

Voice
  Equal error rate: 0.1%-0.86%
  System cost: Low

Face Topology
  Equal error rate: 4.1%
  System cost: High

Source: Compiled from research by Opus Research, Acuity Market Intelligence and Gartner.

Another low-hanging fruit is using voice biometrics for password reset, Miller says: “It’s probably the largest point solution for voice biometrics.” With renewed emphasis (including government regulations) on strong passwords or frequent resets, voice-based systems can alleviate costs associated with help desk calls. “This is using an expensive resource to do something that could be automated,” Miller says.


Biometrics Techniques Compared: Pros, Cons, Outlook and Sample Vendors

Fingerprints
  Pros: Will become ubiquitous in mobile personal devices within five years.
  Cons: Significant work remains in interoperability, which is necessary for fingerprint scanning to become viable beyond personal devices.
  Outlook: Questions remain as to whether fingerprint scanning will remain a multiple-technology solution (silicon, optical, ultrasound) or whether optical scans will dominate, captured by a camera embedded in the device.
  Sample vendors: BioLink, Bioscrypt, DigitalPersona, Fulcrum Biometrics, IdentiMetrics, L-1 Identity Solutions, Precise Biometrics, SecuGen, Upek, Xelios

Vein Structure
  Pros: Strong alternative to fingerprints for government and commercial applications where active user involvement is desired and a contactless approach is preferred.
  Cons: Issues have arisen with the contactless options, as some kind of guide has been required. Recent advances in high-speed capture have allowed for capture-in-motion, which should eventually eliminate the need for a guide.
  Outlook: It’s made significant inroads into Asia and will likely spread to North America and Europe. Of the three types of scanners (contact-based finger, contactless hand and contactless back-of-the-hand), contactless will likely dominate, thanks to hygienic and operational advantages.
  Sample vendors: Fujitsu, Fujitsu Services, Hitachi

Iris Structure
  Pros: Image-capture devices are embeddable in many device types, including phones, computers and POS terminals. Because it’s contactless and passive (doesn’t require the user to do anything), it is appropriate for applications in which speed and throughput are essential.
  Cons: Poor image capture at medium (1-4 meters) and long (over 10 meters) distances. Poor resolution in low and bright light. Expensive.
  Outlook: Significant growth expected over the next 10 to 15 years, as capture and resolution problems are overcome and high-quality image-capture devices become inexpensive.
  Sample vendors: Iridian Technologies (now L-1)

Voice
  Pros: A natural choice in environments where the platform (land and mobile phones) already exists. Also natural for remote identity verification, such as password reset over the phone.
  Cons: [...]
  Outlook: Voice’s promise will be realized over the next few years as channel conflicts are resolved. It’s often combined with additional biometrics. Market share will remain relatively small, but revenues will grow significantly.
  Sample vendors: Agnitio, Anovea, Deepnet Security, PerSay, VoiceVault, VoiceVerified

Face Topology
  Pros: Significant work has been done to improve accuracy and performance. Passive and contactless technology requires less of the user. Commonly used to search databases for applications like drivers’ licenses, passports, visas and digital surveillance.
  Cons: Images are poor quality and systems are currently expensive.
  Outlook: Today’s poor-quality 2-D facial databases will give way to 3-D, which will become the standard for non-watch-list applications. In the next five years, face will overcome its shortcomings and earn a solid segment of the marketplace, although it will not compete with iris structure scanning.
  Sample vendors: Sensible Vision
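The Equal Error Rate column in the table and the one-to-N “identification” versus one-to-one “verify” modes in the Beth Israel account are two views of the same matcher behaviour, so the following Python example works both through. It is added here and is not code from the article or from any vendor it names; the genuine and impostor score lists are constructed, the 1:N formula assumes independent comparisons, and the 350-template gallery size is borrowed from the Bates County deployment to make the point concrete.

```python
"""Equal error rate (EER) of a biometric matcher, and what a given FAR becomes
when the same matcher runs in one-to-N identification mode.

Added illustration, not code from the article or any vendor it names.
The only thing assumed about a matcher is that each comparison yields a
similarity score; scores below are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed similarity scores in [0, 1], one per comparison.
# Genuine: a user compared with their own enrolled template.
# Impostor: a user compared with somebody else's enrolled template.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.74, 0.70, 0.66, 0.61, 0.55]
IMPOSTOR_SCORES = [0.12, 0.20, 0.27, 0.33, 0.38, 0.44, 0.49, 0.53, 0.58, 0.63]


@dataclass(frozen=True)
class OperatingPoint:
    threshold: float
    far: float  # false accept rate: share of impostor comparisons accepted
    frr: float  # false reject rate: share of genuine comparisons rejected


def error_rates(genuine: Sequence[float], impostor: Sequence[float],
                threshold: float) -> OperatingPoint:
    """FAR and FRR of a matcher that accepts any score >= threshold."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return OperatingPoint(threshold, far, frr)


def equal_error_rate(genuine: Sequence[float], impostor: Sequence[float],
                     steps: int = 1000) -> OperatingPoint:
    """Sweep thresholds over [0, 1]; return the point where FAR and FRR are closest.

    The EER quoted for a technique (2%-3.3% for fingerprints in the table) is
    this one number. It summarises the matcher; it is rarely the threshold a
    deployment should actually run at.
    """
    best: Optional[OperatingPoint] = None
    for i in range(steps + 1):
        point = error_rates(genuine, impostor, i / steps)
        if best is None or abs(point.far - point.frr) < abs(best.far - best.frr):
            best = point
    assert best is not None
    return best


def threshold_for_max_far(genuine: Sequence[float], impostor: Sequence[float],
                          max_far: float, steps: int = 1000) -> OperatingPoint:
    """Lowest threshold whose FAR stays within max_far; the FRR is the price paid.

    A time-and-attendance clock can tolerate a higher FAR than an ATM, so the
    same sensor and algorithm are tuned differently for each application.
    """
    for i in range(steps + 1):
        point = error_rates(genuine, impostor, i / steps)
        if point.far <= max_far:
            return point
    raise ValueError("no threshold meets the FAR target")


def identification_false_accept(far_1to1: float, gallery_size: int) -> float:
    """System-level false accept probability in one-to-N identification mode.

    Verification (1:1) compares a sample with one claimed template, so an
    impostor gets one chance. Identification (1:N) compares it with every
    enrolled template, so an impostor gets N chances. Assuming independent
    comparisons: P(at least one false match) = 1 - (1 - FAR)^N.
    """
    return 1.0 - (1.0 - far_1to1) ** gallery_size


def per_comparison_far_for_gallery(target_far: float, gallery_size: int) -> float:
    """Per-comparison FAR a 1:N deployment must hold to meet a system-level target."""
    return 1.0 - (1.0 - target_far) ** (1.0 / gallery_size)


if __name__ == "__main__":
    eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER ~ {eer.far:.0%} at threshold {eer.threshold:.3f}")
    strict = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, max_far=0.0)
    print(f"zero FAR needs threshold {strict.threshold:.3f}; FRR rises to {strict.frr:.0%}")
    # 350 enrolled employees, as in the hospital time-and-attendance deployment,
    # with the table's 2% fingerprint EER taken as the per-comparison FAR.
    print(f"1:N over 350 templates at 2% FAR: "
          f"{identification_false_accept(0.02, 350):.2%} chance an impostor matches someone")
    print(f"per-comparison FAR needed for a 0.1% system FAR over 350 templates: "
          f"{per_comparison_far_for_gallery(0.001, 350):.2e}")
```

The last two lines are why a smart-card or claimed-identity design that keeps the matcher in 1:1 mode, as in the “non-centralized storage” item later in the article, can run at a far more user-friendly threshold than a 1:N search over the whole workforce.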


This can be the camel’s nose under the tent, he says. “Once someone registers a voice print, the vendor comes back and says, ‘You can also use this for network access control or to harden a Voice Over IP network, to control unwanted access to company conference calls,’” he says.

DO consider multi-modal. Biometrics solutions will increasingly employ more than one mode, which is more accurate and secure. For instance, one biometric, like face recognition, might evaluate subjects against a watch list, while another, like iris recognition, might perform one-to-one authentication and a third does keystroke recognition.

Allen says voice is often used in a multi-modal way. It may be secure enough for identifying and authenticating internal users in call-center and password-reset situations, he says, but some organizations would also add knowledgebase authentication of some kind.

Miller concurs that starting about two years ago, major voice vendors began talking about multifactor authentication, partly to comply with government mandates around the world that required two-factor authentication. “Voice vendors with the highest promise are those dovetailing their voice engine with an existing security infrastructure that has been built around multiple factors,” Miller says.

DO consider non-centralized storage. Clients are increasingly interested in systems that store biometrics data on a smart card or memory card, such as an existing building access card, Allen says. With this approach, a user would not only swipe a card, but also interact with a biometric system, which would verify his identity based on information stored on the card.

This increases security because it stops the practice of card-sharing, whether innocently or maliciously, Allen says. Additionally, rather than having to store biometric data in a central location—which requires a network and raises performance considerations—there is no reliance on a network connection. This is reminiscent of what airports use today, combining smart cards and iris recognition, Allen says. The trade-off, of course, is user convenience, as well as cost. “If you use a smart card with a biometric, it’s an increase in cost per user, and it adds complexity of a different kind,” Allen says.

DON’T overlook multinational restrictions. Allen warns that before making a global commitment to a biometrics approach, check various countries’ laws. For instance, French law places restrictions on centralized storage of fingerprint data. So one French bank he knows opted for a vein structure recognition system, and another chose to store finger scan data on smart cards rather than in a central database.

Mary Brandel is a frequent contributor to CSO. Send feedback to Editor Derek Slater at dslater@cxo.com.




COVER STORY | INFORMATION SECURITY


Adam Shostack is co-author of The New School of Information Security, security specialist at Microsoft and ringleader of the popular Emergent Chaos blog. Forrester Research senior analyst Andrew Jaquith is former senior project manager at Symantec and former program director and cofounder of @stake.


Shostack: Howard Schmidt as White House cybersecurity coordinator. What are your first impressions?
Jaquith: I have two thoughts on this. The first is that the position has been notoriously difficult to keep people in. You saw what happened with Amit Yoran and Melissa Hathaway. It’s a tough job with tough expectations and very little authority, so I’d say congratulations to Howard. I’m glad he’s stepping up and I think he is someone with stature and a pedigree. He’s done the job before. I hope he will take some of [...] go-round and apply it in his second go-round. But fundamentally, it’s a pretty tough job and I find it hard to believe that anyone could fulfill the expectations of the role given the tools available to him.

My second thought is that Howard needs to clue up a little bit in terms of some of his current thinking. I did see the predictions he expressed [in the article “Ten 2010 IT Security Predictions,” www.csoonline.com/article/Sii402] and I think it’s great that he has a perspective. On the other hand, a lot of the things he voiced weren’t so much predictions as much as they were concerns. “We’re concerned about social networking.” Well, sure, we’ve known that for a while. “We’re concerned about smartphone malware.” I would argue that this is a tempest in a teapot, something that will never come to pass in the way [...] vendors and security practitioners think it will. But, good for him for expressing an opinion about something [...] been expressed before. To me, though, there just wasn’t [...] the way of real forward-looking predictions. I think he’s fighting many of the last wars in 2010, and I’m hoping we can get more vision out of Mr. Schmidt.

Shostack: Yeah, but come on, isn’t that what [...] professionals always do? Fight the last war?

Jaquith: (Laughing) Well...

Shostack: The response is always, “SSL and firewalls, SSL and firewalls.”

Jaquith: That’s true. We do tend to fight the last war. We’re rarely out in front of the next one. There’s very little reconnaissance happening. What do you think of Howard’s elevation?

Shostack: Well, I think your first point is spot-on. Everyone is saying that without the authority you can’t get anything done in this world. I’m sympathetic to that view. But I think there’s a lot Howard could do in this role and it really ties back into the transparency that the president even included in his inaugural address. The federal government is a collection of some of the largest enterprises out there and they vary a lot in how they operate and what they do. As a result—and I believe some of this is [...] of these agencies is reporting on a regular basis to US [...] incidents it has. Wouldn’t it be a spectacular act of transparency to put that data out there and say, “Here are the incidents that are occurring,” and let us study that? I think that would be a transformative step that I expect he has the authority to drive, and it’s in alignment with the president’s own goals for his administration with initiatives like Data.gov, so there’s even a place for the data to live. And he has the opportunity to talk about the situation as it is. A lot of the problem is that everyone wants to push the problems under the rug and not say, “Here’s what’s hitting the enterprises.” If Howard comes out with the authority that comes with the position and says, “We’re having a lot of trouble doing this and we believe everyone else is having an equal amount of trouble, let’s talk about it,” he can have an impact that doesn’t require him to force anyone’s hand or to push things.

Jaquith: A couple thoughts: It’s pretty interesting. I believe the first thing you said was, Let’s use the power of the bully pulpit and some of the authority vested in the position to compel or require federal agencies to centrally report the incidents and to put that out in public so that people in the private sector and the research community can take a look at it and learn from it, but also so we have an example of what collaborative security incident data-sharing is all about. That’s something you don’t see in a big way at the federal level or even in the private sector—having something that the private sector can work with and understand. You also mentioned—and I’d like to spend a little time on this—figuring out ways to bridge the gap between the private-sector expertise out there and the federal level. What I think about the divide between the public and private sector is this: It’s not just that they’re governed by different statutes and codes of conduct, it’s different languages. When I think federal, I think FISMA and FIPS [Federal Information Processing Standards] and SCAP [Security Content Automation Protocol]—acronyms people in the private sector look at and say “What the hell is that?” There are words like accreditation and certification that have absolutely no meaning in the private sector. People like us look at that and say, “Why would I be involved in federal government security at all? It’s just a bunch of paper pushing.” To me, it seems like maybe if we can have some other examples out there that are derived from the public experience, then we can start to stimulate a dialogue and break down some of these linguistic cultural barriers that prevent us from having workable best practices that apply from one sphere to another. Am I putting words in your mouth?

Shostack: I think that is a side effect I’m looking forward to. I do want to comment on your comment that this would compel reporting—the reporting is already happening under current law. But yeah, when I look at a lot of what the federal government does, there’s an awful lot of what I might look at as applied policy. What are we trying to achieve? What is the management oversight—what are we doing to ensure a degree of accountability? But these guys are also operating firewalls, IDSes [intrusion detection systems], encryption programs, they’re training their users, managing user accounts and access controls across tremendously complex systems. What if—with all sorts of requirements—we can learn from them and they can learn from us? But the first step has to be talking about what’s happening. As long as we look at what they say and it’s all about SCAP, FISMA and the related acronym soup, it’s very hard to build bridges. But if we can actually get down to brass tacks, we can say, “Oh look, you guys are dealing with this problem and how is that working out for you? Of the 50-odd firewall brands in use in the federal government, which ones are the most effective at stopping attacks? Is there a correlation between firewall brand and the number of attacks that make it through?”

Jaquith: Yup. Makes sense to me. So, what’s your bottom line, Adam? Is it that Schmidt is a good appointment? Bad appointment? How do you handicap his chances of success?

Shostack: Schmidt’s a good appointment. As you pointed out, it’s a hard position to work in. I think the big question is, what do you want out of success? Is he going to make the problem go away? Nope. We’re always going to have cybercrime. We’re always going to have people hacking into federal computers. If the question is if he will make things better, I think the key question for me is if he is going to decide to do some of the same things we’ve always done or is he going to ask why some of those things did not take off or succeed. I’m optimistic that he’s going to bring in that new thinking. I give him a 60 percent chance of success.

Jaquith: Wow. Not bad. My bottom line: He’s a fair choice at best. I’d like to see someone who is a little more of a visionary who’s not rehashing last year’s vulnerability stories.

But that aside, I think the best thing he could do is pick a series of themes to riff on. This is a little like the Obama campaign itself: Pick a couple things to really execute on and just do it. So, for example, are you going to secure the federal agencies? OK, fine. There’s a lot of ways you can do that. Are you going to work in the consumer space and make consumers more aware and, as a result, less affected by what’s happening out there? Are you going to work to provide some consistency among the different agencies? Probably not, but that’s certainly an angle you could go on as well. I think for me the answer is: Pick an objective, one or two things you can do well, and go with it. Otherwise, it’s going to be a very watered-down role without a lot of authority or results to show for it. I give him a 50-50 chance of succeeding. Unsuccessful means flaming out and leaving within a year or a year and a half.

Shostack: That would be longer than any previous czar has made it through the role. (Both laugh.)

Data Breaches: Will Awareness Drive Improvement?

Jaquith: You and I have been looking a lot at some of the data breach incidents that have popped up and some of the centralized and consolidated areas. Are these things good for security? Are they driving corporate budgets and awareness? Or do you think these things are just ushering in another era of snake-oil sales of stuff that’s advertised as fixing the problem? Would people stampede to buy full-disc encryption as spray-on auditor repellent as opposed to as a security measure?

Shostack: In the short term, your cynical view is not inaccurate. But people have always been jumping on the latest security technology bandwagon and the latest threat story as a way to move what they have. That’s a natural part of business. Unless the story is Tiger Woods, you attach your brand to the story.

Jaquith: I think you’re right. Or, more accurately in the case of Tiger Woods, you detach your brand from the story.

Shostack: I think that in the longer term, the theme for me is really around transparency. We've had people doing the same thing over and over again. Anyone in the trenches knows there have been problems we can't get a good handle on. We need to be grappling with a different set of issues. To me, the great thing about something like the Verizon Report, like DataLoss DB, is that whatever biases or weaknesses they have, they are big enough sets of data—and I would love to see the Verizon folks release more of their underlying data—but there are really enough there, enough cross-organizational study, that we can get a handle on the fact that, yeah, lost and stolen laptops are in fact a big deal. Are they being exploited? Well, we really don't know and we argue about it because you have to disclose the incident but there's no way to track between the incident and the impact. If my Social Security number is on a tape that falls off the back of a truck, we can argue until we're blue in the face because there's no insight into what happens. I'm not exactly sure how we're going to get transparency on that end of things. But without that sort of understanding, you know, a lot of people talk about how we need risk management in security, we need a risk-of-harm trigger before we tell people. I think the risk-of-harm trigger is the lawyer's full-employment act because one, you're going to pay a set of lawyers to argue about it, and two, the minute you make the call, you're going to expose yourself to litigation from someone who doesn't like the call that you made. In the end, though, notifying people has turned out to be not a bad thing. If you look at the Ponemon Institute's numbers and you look at the expected current cost versus the future cost: The current costs are declining and the future costs are going up. What do you think?

26 www.csoonline.com March 2010

Jaquith: Well, I actually think the spate of data breach disclosure laws are fantastic because you start to get some real transparency. I use a lot of the DataLoss DB guys' information pretty regularly, and one thing we recommend clients do when trying to justify a security initiative is using a database like that to find examples of peers who have had similar trouble and use that to justify an initiative. When you find those real concrete examples, it's easier to visualize the scenario and makes the danger more clear and present. Another thing that has been very interesting about the breach disclosure laws is that in a bass-ackwards way, it's pushing the United States closer to the European Union in how it handles personal information, making it less of a commodity that can be owned and moved around by marketers, turning it into a commodity that's a little more toxic. It may mean we sidestep into an E.U. data-protection regime.

Shostack: Bottom line: To take this to the next level, what do you think that would be?

Jaquith: I think the next step is the mandatory gathering of—you know, if I were putting on my legislation hat and looking to improve some of the existing data-breach laws—I'd want to make sure some clear thresholds kicked in on when you have to report and when you don't, and that when you report you put them into a consolidated area, such as with the attorney general. I know this has happened with certain statutes, but it's not the case in all 45 or so of the breach laws. That would be the first step.

Shostack: It's absolutely fascinating how DataLoss DB is just a private nonprofit initiative that has generated so much value for the industry. I'd love to see either government funding coming in to pay them to do it more, better, faster, more completely, or give them a nice pat on the back and set up a government-sector competitor that would capture the data and add to it in various ways.

Predictions: What Happens During the Next Five Years

Shostack: You took some hard swipes at Howard's predictions. So what do you think is going to happen? What's your forward-looking perspective on the next five years of cybersecurity? What should people be worrying about?

Jaquith: I got my enterprise hat on for the most part so I'll keep my comments there. In the corporate world, from a security standpoint, the IT security budgets are pretty much flat. There hasn't been much movement in the last several years and we don't think anything especially noteworthy is going to happen on the budget front in 2010-11.

Shostack: Wait a minute: So with rising cybercrime, an increase in breaches and malware, you don't see budgets going up at all?

Jaquith: Well, it's possible, but overall IT budgets in general aren't going up too much and security is pretty much the same. We've gone through this period where security budgets had gone up 20 percent year over year until about three years ago when it started to level off. At a certain point, information security officers have got to be asked by their bosses, "What are we getting for all the money we've spent?" I think budget pressures are going to be there, but I also agree the threat landscape will increase.

So what does this mean? It means, frankly, that we've got a nice, consolidated vendor marketplace right now, and we're going to see a lot more price competition. Looking at things like DLP [data loss prevention] and encryption, we're going to see a flat budget. But customers are going to get better deals. You've got a lot of dynamics in the marketplace. For example, the lower-end device-control vendors will want to add DLP to the more simple-minded USB-blocking software and the like, and you've got incumbent vendors with DLP for enterprise looking to go downmarket, moving this stuff through the channel. These things will get a lot cheaper, and that's key. The next prediction is that it'll still be good to be in the encryption business because the common denominator you see in all these disclosure laws is that there's an explicit carve-out for all the encrypted devices for those carrying personal information. We can argue over whether this is the right thing to do or not, but the point is that because this safe harbor exists, you're going to see this software continue to make a lot of headway because customers are going to do what they can to comply, and if the easiest way to comply is to encrypt hardware or something like an iPhone 3GS, this is the easiest way to comply with the letter of the law, if not always the spirit of the law.

So  how  about  yourself? 

Shostack: Let's start with the pessimistic view, and I'll harken back to the Howard Schmidt story: My pessimistic view is that we'll have the same security issues and plans we had five years ago and we're not going to make a lot of progress. My more optimistic view is that there's really a rise in security as an aspect of other disciplines: The security in human behavior workshops, the security and usability and privacy conferences. As we start to see those things, we'll also see some surprising and amazing things in terms of what we need to do. My realistic view is that these trends are starting to pick up and get noticed. So over the next few years it becomes easier not to get more budget but to target your budget more efficiently. So in the future it becomes easier to push back on your auditors when they tell you it's a best practice to force a log-out on this site after 10 minutes. Well, why 10 minutes? It becomes easier to have a more data-driven conversation with your marketing departments: "No, we can't put a list of names and SSNs out on an FTP site and hope nobody is going to notice." While we're looking at a lot of scary stuff as practitioners, the meta level is actually getting much clearer and much better. As that stuff clarifies, it will make it easier to operate at a very practical level.

Jaquith: I hope you're right about that, particularly around things like usability and this idea of finding the right balance between what is good security and what's usable.




ACCESS  CONTROL 


lockers—even doors. Do you know where they are and what they go to? By Michael Fitzgerald


Many workers no longer get a key to the office, at least in the physical sense. They get a pass card, an electronic key programmed to get them into the office and that can be set to deny them access to restricted areas. But that doesn't mean the mechanical lock and key are gone. They're just less visible than they used to be, and thus easier to forget. That makes them an unexpected security vulnerability.

Mechanical keys create unique security headaches—ironic, since the key was obviously created as a security device. Earlier this year, at least $2,000 was stolen from police evidence lockers in Fruitland Park, Fla. It turned out that the city's master key opened the evidence lockers and also the city's vault, which was discovered only after one copy of the key went missing. Separately, RBC Bank was forced to change the locks on 112 branches when a master key machine was stolen from a service van. Keys don't have to go missing to be a security hazard: In 2008, a jailbreak was attributed to a corrections officer leaving a key in a lock while he worked to fix a toilet. The key was pilfered and passed along to other inmates in the cell block. They used it to unlock other plumbing closets, then returned it to the lock, all in the space of about 10 minutes. Then eight convicts, including a convicted murderer, snuck into one of the closets, cut a hole in the ceiling and escaped.

Mechanical key systems still represented a $4.7 billion market in the United States in 2007, according to Freedonia Group, a market research firm in Cleveland, Ohio. That's much smaller than electronic access systems, which accounted for $7.8 billion in sales and represent the fastest-growing part of the $62 billion security equipment market. Even so, Freedonia projects U.S. mechanical key sales will grow at about 2.8 percent annually through 2012. Plus, demand from emerging markets worldwide means mechanical systems still make up the biggest part of the market for physical access control.

Electronic access cards offer versatility: one card can be programmed to access parking, the front door, the office and the vending machine, says Paul Everett, research director for IMS Research's access control, fire and security group. They're also easier to manage. But, he says, electronic systems typically cost more, and may not make financial sense unless a firm wants to avoid having to manage hundreds or thousands of keys. There's also the simple familiarity issue: We're accustomed to using keys.

Even today, very few buildings in the United States are built without physical locks. In fact, "You can look at electronic key systems as add-ons" to mechanical locks, says James Spivey, president of Security Risk Management in Charlotte, N.C. Spivey says that some extremely high-security government buildings, primarily for defense use, do not use any mechanical locks, but otherwise the mechanical lock remains an essential element of building security. Even if doors have electronic access control, internal systems with mechanical keys may include HVAC controls, elevator controls, electrical boxes, medicine cabinets and generators.

Illustration by Anastasia Vasilakis

While electronic keycard systems are easier to manage from a central location than physical keys, Spivey says that mechanical keys continue to have important advantages: Notably, they still work when the power goes out.

Keys are "very, very important—most electronic systems you put in place usually have key backup," says Bernard Scaglione, director of physical security at the Weill Medical campus of NewYork-Presbyterian Hospital. He says keys will never go away—"electronics fail, and you need an override."

Scaglione employs three full-time locksmiths among a security staff of 150. This year he will spend about 20 percent of his $6.5 million operational budget on mechanical locks, in part because of extensive renovations taking place in the 4 million square feet of facilities he manages. A normal year would see about five to seven percent of the budget going to handle key changes. In contrast, between 30 and 40 percent of the budget will go to installing new electronic card systems this year, also unusually high due to renovations. NewYork-Presbyterian, like many big institutions, pays for exclusive copies of key blanks so the keys cannot be copied at outside locksmiths.

Scaglione notes that when a card reader is added to a door, the existing lock is not usually removed.

Electronic keycard systems can be set to ring alarms if someone uses a physical key to get into a door, but these setups are prone to hacks, says Spivey. Employees will prop doors open when they go out to smoke or run a quick errand. His firm recently engaged in a systems assessment at a facility that had 130 access control doors: 70 on its main campus and 60 in remote locations. It found that the alarms went off 40,000 times a month. It turned out that the system was poorly engineered, causing an alarm to ring almost any time a door was opened. Spivey says he told the client to simply unlock the doors. "Nobody's going to respond if there's an alarm," he says.

How old are keys? Wooden door locks and keys discovered in the Middle East have been dated at 4,000 years old or more.

Since mechanical keys aren't going away, the challenge is to manage them more effectively in hopes of avoiding nightmares like having a master key go missing. When mechanical keys are used as a system override, they eliminate an audit trail. These trails matter, says Scaglione, because a typical day might see his department fielding requests on subjects ranging from thefts to whether the custodial staff came in to clean. NewYork-Presbyterian has used some form of key control box for the 14 years Scaglione has worked there. With such systems, keys to various parts of the building are stored in one box, controlled by an administrator or security person, and logging is computerized. Such systems replaced manual logs, where supervisors wrote down the number of a key taken, who took it and when it was returned.

In Scaglione's case, NewYork-Presbyterian's pharmacies adopted a key-management system made by Morse Watchmans, one of a number of companies in this business (others include KeyTrak and KEYper Systems). It automates the process of tracking who checks keys out and what keys go to what locks, helping determine who has access to what supplies for specific periods. In addition, in an emergency such as fire or flooding due to a broken pipe, the system helps the hospital track and control who gets access to keys.
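As an added illustration, not the hospital's or any vendor's code, the following Python models the ledger such a key-control cabinet keeps: which keys open which locks, who checked each key out and when, and the two questions the article raises, who had access to a given lock during a period and which keys are overdue (the missing-master-key case). All key ids, names and timestamps are constructed.

```python
"""Key-control ledger, a constructed model of the checkout tracking that a
key-management cabinet provides. Added example, not Morse Watchmans, KeyTrak
or KEYper code; every key id, person and timestamp below is made up."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Checkout:
    key_id: str
    person: str
    taken: datetime
    returned: Optional[datetime] = None  # None while the key is still out


@dataclass
class KeyLedger:
    # Which locks each key opens. A master key maps to many locks, which is
    # exactly why a missing one is the nightmare case.
    key_to_locks: Dict[str, Set[str]]
    events: List[Checkout] = field(default_factory=list)

    def check_out(self, key_id: str, person: str, when: datetime) -> Checkout:
        if key_id not in self.key_to_locks:
            raise KeyError(f"unknown key {key_id}")
        if any(e.key_id == key_id and e.returned is None for e in self.events):
            raise ValueError(f"{key_id} is already checked out")
        event = Checkout(key_id, person, when)
        self.events.append(event)
        return event

    def check_in(self, key_id: str, when: datetime) -> Checkout:
        for event in self.events:
            if event.key_id == key_id and event.returned is None:
                event.returned = when
                return event
        raise ValueError(f"{key_id} is not checked out")

    def who_had_access(self, lock_id: str, start: datetime,
                       end: datetime) -> Set[str]:
        """People who held a key to lock_id for any part of [start, end]."""
        holders: Set[str] = set()
        for event in self.events:
            if lock_id not in self.key_to_locks[event.key_id]:
                continue
            out_until = event.returned or datetime.max  # still out: open-ended
            if event.taken <= end and out_until >= start:  # intervals overlap
                holders.add(event.person)
        return holders

    def overdue(self, now: datetime, max_out: timedelta) -> List[Checkout]:
        """Keys still out longer than max_out: the candidates for 'missing'."""
        return [e for e in self.events
                if e.returned is None and now - e.taken > max_out]


# Constructed sample data: two pharmacy keys and one master key (hypothetical).
T0 = datetime(2010, 3, 1, 8, 0)
KEY_MAP = {
    "K-101": {"pharmacy-A"},
    "K-102": {"pharmacy-B"},
    "M-1": {"pharmacy-A", "pharmacy-B", "vault"},  # master key
}


def build_sample_ledger() -> KeyLedger:
    ledger = KeyLedger(KEY_MAP)
    ledger.check_out("K-101", "nurse.lee", T0)
    ledger.check_out("M-1", "custodian.ray", T0 + timedelta(hours=1))
    ledger.check_in("K-101", T0 + timedelta(hours=2))
    ledger.check_out("K-102", "pharm.chen", T0 + timedelta(hours=5))
    ledger.check_in("K-102", T0 + timedelta(hours=6))
    # M-1 is never returned, so it should surface as overdue.
    return ledger


def sample_holders(lock_id: str, start_h: int, end_h: int) -> List[str]:
    """Sorted names of everyone holding a key to lock_id between T0+start_h
    and T0+end_h hours (wrapper around who_had_access for the sample data)."""
    ledger = build_sample_ledger()
    return sorted(ledger.who_had_access(
        lock_id, T0 + timedelta(hours=start_h), T0 + timedelta(hours=end_h)))


def sample_overdue(now_h: int, max_h: int) -> List[str]:
    """Key ids still out longer than max_h hours, evaluated at T0+now_h."""
    ledger = build_sample_ledger()
    return [e.key_id for e in ledger.overdue(T0 + timedelta(hours=now_h),
                                             timedelta(hours=max_h))]


if __name__ == "__main__":
    print("pharmacy-A, 11:00-12:00:", sample_holders("pharmacy-A", 3, 4))
    print("overdue after 24h:", sample_overdue(48, 24))
```

The master key shows up in every lock's access query for as long as it is out, which is the audit-trail view a paper ledger cannot give quickly.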


Scaglione says one new facet of key management technology that he thinks is worth noting is the integration of cameras with mechanical lock-and-key systems. The cameras snap photos of anyone who uses a physical key. Though the hospital has yet to adopt such a system, he thinks it would be useful in high-risk areas like drug supply cabinets and operating rooms, which contain valuable equipment.

At Sheppard Air Force Base in Wichita Falls, Texas, Tech. Sgt. Michael Klumpp implemented a KeyTrak key control system in 2001 to help create better audit trails at the 252-room dormitory he oversaw. His previous system was a padlocked metal box that held keys to each room, including a backup key in case plumbing, maintenance or other work was needed. A ledger was used for signing keys in and out. He and another supervisor controlled the padlock, but there were issues with tracking the paper receipts when keys were checked out. He worried also that if someone cut the padlock, that person could easily access any room in the building, because all the keys were in order, labeled by room number.

The KeyTrak system is controlled by a PC, which allows access to the keys only after the correct code is entered. Keys are separated into drawers based on how many keys there are (his facility needed two drawers). But keys aren't labeled or kept in order, increasing security in case of a system breach. Klumpp said the system has made it simpler to audit who's using rooms. It also allowed him to track room inventories. He subsequently installed it in three large new dorms and recommended it to counterparts at two other military bases.

It's not a perfect system—for example, it's proprietary and requires occupants' personal information to be entered separately into its database, even if they've already been enrolled in another system. Klumpp, now a civilian engineer at the base, says this "double entry" problem was one reason that subsequent managers decided not to adopt the system in a new dorm. But it's still in use in the facilities where he had it installed as well as at the base's hospital. "It was a big improvement," he said.


Michael Fitzgerald is a frequent contributor to CSO. Send feedback to Editor Derek Slater at dslater@cxo.com.




[cso view]

By  George  Campbell 


Measuring the Health of Corporate Security


The last thing any of us need these days is another uninformed discourse on health care, but I tend to wade in where others have the common sense to keep out. I see a measurably effective corporate security organization as a group of risk-management practitioners and first responders engaged in maintaining the health of the businesses we serve. We evaluate risk profiles, do wellness examinations, prescribe anti-viral medications and other safeguards, and maintain an emergency response capability. In post-op, we (hopefully) learn what attacked a vital element of our entrepreneurial organism and how it did so. To round out the analogy, patients are often tempted to complain about the bill unless our efforts clearly involved brand preservation.

So here we are, deep in the process of building a proactive, multidimensional security program, and we need to focus on best practices. But if we look at the allegedly authoritative lexicon of business risk management, we don't find our role listed. Why not?

Doesn't the term "corporate security" conjure up some thoughts of the enterprise risk-management business? If the allegedly informed lexicon does not incorporate our input into the risk framework, what might be missing from the mahogany row and board-level consideration of risk? Don't we have a stake in enterprise risk-management strategy? If this is the agenda and we aren't on it, how do our business-relevant risk indicators make it into the enterprise health check?

I am going to approach this assuming that we should be on a corporate agenda, one that strives to do the right thing and sees us as integral to fulfilling our obligation to protect our shareholders, our brand and our people. The heart of our mission is our ability to materially impact the risks that the businesses we serve face. So while I'll not claim it's the exclusive measure of company health, I firmly believe that this should be a primary focus of an organizational health check.


A critical measure of our fitness is our ability to influence. Influence is based on trust and confidence. How well we manage the quality and integrity of the treasure trove of data we harvest and utilize throughout our security operations fuels trust and confidence. Providing quality information and reliable counsel sets us a place at the table. We need senior management to engage with the security agenda and factor it into their appetite for risk, to set expectations and hold people accountable. The proof of their trust is them buying the script because they are confident in the competence of the writer.

Our ability to understand the diversity and dynamics of the risk landscape is directly proportional to our capacity to learn—to draw verifiable conclusions that support sound decision making. We enjoy a unique perch with a great view of risky business behaviors and processes. From here, we can catch sight of leading indicators that give early warning of problems and allow us to foresee potential outcomes. This vantage enables prevention and preparedness: developing plans, positioning safeguards, training first responders, establishing fail-over tactics and assuring employees' awareness at the business process level. We are paid to anticipate likely scenarios, given our risk portfolios.

Assuming we sold the business case, we are expected to produce positive results. However, we are measured one incident at a time and, as my CEO often said, "We learn more from our mistakes than from our successes." It boils down to the competence of our response and our ability to learn from experience. What worked and why? What did we discover about exploitable vulnerabilities and process-level execution by accountable parties? What should we conclude when the problems persist after we communicate the nature of the evolving risk and attempt to engage the right people in solutions?

We are an integral part of the enterprise risk management (ERM) framework regardless of how it is structured. However, ERM in many companies can be backward-focused and limited in its scope. Our role in enterprise health requires us to focus on learning—evaluating how well our programs manage risk, resulting in deeper penetration in business risk management.


George Campbell is an emeritus faculty member of the Security Executive Council.


Photo  by  Dana  Smith 




[debriefing]


Classified  Information 

Can't find a new job? That's probably because you're looking for old jobs. This dynamic field doesn't stand still. Stop searching for "chief security officer" and start looking for classifieds like these:


Certification Manager Urgently Needed

Can you explain the difference between CPP and CIPP? Have you framed your ISECOM OSSTMM and your ISC2 CSSLP? Do you know which four BC/DR certs together form an anagram for SPINY ECHIDNA?

Join our team and help our experienced security professionals gain and maintain their professional certifications.

Hurry, because our HR department can't make heads or tails out of this stuff.


It's All About The Numbers

You're all about providing value. You can spin gold from straw using an abacus and an Underwood. You've got ten-plus years' experience building dashboards and proving the worth of security measures from the boardroom level down to particular firewall rules. That makes you the perfect match for our Security Value Guru post.

Responsibilities include:

■ Selection and validation of appropriate financial value metrics from among the following: TCO, ROSI, EVA, NPV, OPM

■ Initial capture and analysis of operational data from our security systems, with translation into action items

■ Production of daily, weekly, monthly, quarterly, annual and centurial reports in spreadsheet, PowerPoint and laser/lightshow formats

This is a ground-floor opportunity: right now we've got nothing!


Hiring Surveillance Video System Analysts (seven positions open!)

We're an old-school manufacturer with a new-era mind-set, and a smart company deserves a smart surveillance system. So we just replaced four very expensive guards with a state-of-the-art intelligent video system.

Now we're looking to tune the system, eliminate false positives, analyze camera angles, manage MAC (moves, adds, changes) activity, optimize network performance and compression schemes, spec out storage requirements, and create a 10-year continual upgrade technology road map.

Apply now: we need to fill these seven reqs to start maximizing our manpower savings.

Security Czar Finding Program Sunset Manager

Whew, finally found somebody to take the Cybersecurity Czar position. Now we need an experienced project manager to help us dismantle the Cybersecurity Czar Finding Program Office. Temporary position that must wrap up within two years, in [illegible].

Infosec Twitter Liaison (fulltime)

You know what we really need? What our security department really needs is for somebody to spend all day using Twitter to provide the entire world with updates on what technologies we're implementing, what mistakes we're making, and how stupid our users and nonsecurity IT people are. Interested? Just tweet to @wiggyl07.

VP of Cloud Stuff

You're our man or woman if you can answer these questions:

■ Where is "the cloud"?

■ What should we put there?

■ How will this affect our SAS70s and our PCI/SOX/GLB/C-TPAT/DCID/HSPD12 compliance?

■ IaaS, SaaS, PaaS, GraaS, private, public, shared, community, cumulonimbus: Jiminy Cricket, what's going on here?

■ Why again is this different from regular old outsourcing?



Two-Factor  Authentication 


"Even if a hacker has your password, your account remains secure." - New York Times


Get the strong two-factor security you need to protect against today's sophisticated threats without the hassle and cost of yesterday's technology.


PhoneFactor


Easy  to  Setup,  Manage,  and  Use 
Strong  Out-of-Band  Authentication 
Rapid  Regulatory  Compliance 
Far  Less  Expensive  Than  Tokens 


www.phonefactor.com 


1.877.NoToken 



AT&T 

IBM  Internet  Security  Systems 

SecureWorks 

Symantec 
Verizon  Business 


OF  ALL  THE  WELL-KNOWN  NAMES 
IN  INFORMATION  SECURITY, 

HOW  MANY  ARE  WELL  KNOWN 
FOR  INFORMATION  SECURITY? 


SecureWorks isn't just one of the best security service providers—it's one of the largest. Our combination of managed security, threat intelligence and consulting services protects 2,700 clients, and more than 10 percent of the Fortune 500, against external and internal cyber-threats around the clock. And unlike our competitors, information security is the only thing we do, every day. You may not be as familiar with our name as you are with theirs, but if you care about security, you should be.


See  what  the  leading  analysts  say  at  secureworks.com/focused 


SecureWorks 


Contact  SecureWorks  at  info@secureworks.com  or  call  877.905.6661. 


©2010  SecureWorks.  All  rights  reserved.  SecureWorks  and  the  SecureWorks  logo  are  registered  trademarks  of  SecureWorks.  All  other  trademarks  are  the  property  of  their  respective  owners. 


FORTIFY

3 Little Words That Manage Your Software Security Risk.


Join Fortify Software for a series of online and regional events where we bring some of the top leaders in application security together to address the single biggest threat you face: the threats lurking within the software that supports your organization.

□  FIND 

Locate  the  dangerous  vulnerabilities  lurking  in  your  critical  software  applications. 

□  FIX 

Adopt  sound  application  security  practices  to  contain  and  remove  them. 

□  FORTIFY 

Make  all  your  software  stronger  by  building  security  right  in. 

Application Security is all we do. With award-winning products and the widest range of solutions, Fortify Software is a recognized market leader and trusted partner to more than 700 organizations worldwide. Whether you're just starting to test your software's security, you're struggling to recover from a breach, or you already have secure development processes in place, we meet you where you are, then guide you every step of the way.

Visit  us  today  and  discover  how  easy  it  is  to  get  started. 






